Skip to main content

GR140DG/GR140IG EUVDEUVD-2026-27337

| CVE-2026-31196 HIGH
OS Command Injection (CWE-78)
2026-05-05 mitre GHSA-489r-v3h6-c72q
8.8
CVSS 3.1 · Vendor: mitre
Share

Severity by source

Vendor (mitre) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from Vendor (mitre) · only source for this CVE.

CVSS VectorVendor: mitre

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 06, 2026 - 21:30 vuln.today
CVSS changed
May 06, 2026 - 19:22 NVD
8.8 (HIGH)
CVE Published
May 05, 2026 - 00:00 nvd
HIGH 8.8

DescriptionCVE.org

The traceroute diagnostic handler in /bin/httpd_clientside for ALTICE LABS / SFR France GR140DG and GR140IG fibre CPE/Router/Gateway, inserts unsanitized user input into a system() call, allowing authenticated remote attackers to execute arbitrary commands as root via crafted destAddr parameters using shell command substitution.

AnalysisAI

Authenticated command injection in ALTICE LABS GR140DG and GR140IG fiber gateways allows remote attackers with valid credentials to execute arbitrary commands as root through the traceroute diagnostic handler. The vulnerability exists in the /bin/httpd_clientside component where unsanitized destAddr parameters are passed directly to system() calls, enabling shell command substitution attacks. With CVSS 8.8 (High) but EPSS exploitation probability of only 0.04% (12th percentile), this vulnerability affects widely-deployed ISP-managed CPE devices in France (SFR network) but shows no evidence of active exploitation or public POC availability at time of analysis.

Technical ContextAI

This is a classic OS Command Injection vulnerability (CWE-78) in embedded Linux firmware for fiber-optic customer premise equipment. The /bin/httpd_clientside binary provides a web-based diagnostic interface where the traceroute function accepts a destAddr parameter containing destination IP addresses or hostnames. The vulnerable code passes this user-controlled input directly to the system() library call without sanitization, allowing shell metacharacter injection. Command substitution techniques like $(malicious_command) or malicious_command can break out of the intended traceroute command context. Since the httpd_clientside process runs with root privileges (common in embedded device architectures for hardware access), successful exploitation grants complete system control. The affected GR140DG/GR140IG are GPON fiber residential gateway models deployed by SFR (France) and potentially other Altice Group ISPs across Europe.

RemediationAI

No vendor-released patch or firmware update has been identified through available references at time of analysis. ISP customers using SFR-managed GR140DG/GR140IG devices should contact SFR technical support to request firmware status and potential updates, referencing CVE-2026-31196 and XEROD-2026-0002. For enterprise or self-managed deployments, implement immediate compensating controls: (1) Restrict management interface access to trusted internal networks only - block WAN-side access to administrative ports (typically TCP 80/443/8080) via firewall rules or device ACLs; (2) Disable remote management features if not operationally required, forcing local-only administration; (3) Implement strong authentication with complex passwords for all administrative accounts and regularly rotate credentials; (4) Monitor device logs for unusual traceroute diagnostic activity or failed authentication attempts; (5) If devices support it, disable the web-based diagnostics interface entirely and use CLI-based management. Note that disabling diagnostics may impact ISP remote troubleshooting capabilities. Long-term solution requires vendor firmware patch - escalate with Altice Labs and service provider for patch roadmap. Consider hardware replacement if vendor support is discontinued.

More in N A

View all
CVE-2026-31072 CRITICAL POC
9.8 May 19

Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali

CVE-2026-36356 CRITICAL POC
9.1 May 05

Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST

CVE-2026-31071 CRITICAL POC
9.1 May 19

Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al

CVE-2025-66391 HIGH POC
8.8 Jun 17

In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o

CVE-2026-26740 HIGH POC
8.2 Mar 18

Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when

CVE-2025-60464 HIGH POC
7.8 Jun 25

Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_

CVE-2026-36355 HIGH POC
7.7 May 05

Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc

CVE-2025-60474 HIGH POC
7.5 Jun 24

Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s

CVE-2026-38639 HIGH POC
7.5 Jun 26

An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S

CVE-2026-38641 HIGH POC
7.5 Jun 26

Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge

CVE-2026-38637 HIGH POC
7.5 Jun 25

An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S

CVE-2026-38640 HIGH POC
7.5 Jun 25

Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce

Share

EUVD-2026-27337 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy